CVE-2026-34985
Received Received - Intake
Insecure Direct Object Reference in LORIS Media Module

Publication date: 2026-04-08

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, While the frontend of the media module filters files that the user should not have access to, the backend was not applying access checks and it would be possible for someone who should not have access to a file to access it if they know the filename. This vulnerability is fixed in 27.0.3 and 28.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34985
EUVD
EUVD-2026-20570
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mcgill loris 28.0.0
mcgill loris From 16.1.0 (inc) to 27.0.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows unauthorized access to files by bypassing backend access controls in the LORIS media module. Such unauthorized data access could potentially lead to exposure of sensitive or personal data.

Because regulations like GDPR and HIPAA require strict controls over access to personal and sensitive data, this authorization bypass vulnerability could result in non-compliance with these standards if exploited.

Organizations using affected versions of LORIS should update to fixed versions (27.0.3 or 28.0.1) to mitigate the risk and maintain compliance with data protection regulations.

Executive Summary

CVE-2026-34985 is an authorization bypass vulnerability in the media module of the LORIS web application versions 16.1.0 through 28.0.0.

The issue occurs because although the frontend filters files to restrict user access, the backend does not enforce these access checks.

As a result, an attacker who knows the filename of a file can access files they should not be authorized to view.

This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key.

It has been fixed in LORIS versions 27.0.3 and 28.0.1.

Impact Analysis

This vulnerability allows unauthorized users to access files they should not have permission to view if they know the filenames.

Such unauthorized access can lead to exposure of sensitive or confidential neuroimaging research data managed by LORIS.

The CVSS score of 6.3 indicates a moderate severity, meaning the impact on confidentiality, integrity, and availability is low but still significant.

Detection Guidance

This vulnerability involves unauthorized access to files by bypassing backend access controls when the filename is known. Detection would involve monitoring for unusual or unauthorized file access attempts, especially requests to the media module endpoints with filenames that users should not have access to.

Specific commands or tools are not provided in the available resources. However, general approaches could include reviewing web server logs for suspicious access patterns, using network monitoring tools to detect unauthorized file retrieval attempts, or employing web application security scanners to test for authorization bypass vulnerabilities.

Mitigation Strategies

The primary mitigation step is to upgrade LORIS to a fixed version where the vulnerability is resolved. Specifically, upgrading to version 27.0.3 or 28.0.1 will address the authorization bypass issue in the media module.

Until the upgrade can be applied, consider restricting access to the media module backend endpoints to trusted users only, implementing additional access controls at the network or application level, and monitoring for suspicious file access attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34985. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart